The distinction between safety and liveness properties is a fundamental classification with immediate 
implications on the feasibility and complexity of various monitoring, model checking, and synthesis 
problems. In this paper, we revisit the notion of safety for reactive systems, i.e., for systems whose 
behavior is characterized by the interplay of uncontrolled environment inputs and controlled system 
outputs. We show that reactive safety is a strictly larger class of properties than standard safety. 
We provide algorithms for checking if a property, given as a temporal formula or as a word or tree 
automaton, is a reactive safety property and for translating such properties into safety automata. 
Based on this construction, the standard verification and synthesis algorithms for safety properties 
immediately extend to the larger class of reactive safety. 

1 Introduction 

The question whether a certain specified property, given for example as a formula of a temporal logic, 
belongs to the class of safety properties, is of universal interest in verification, synthesis, and monitoring. 
Typically, it is much easier to reason about safety properties than about general temporal properties. 
In deductive verification, safety properties are typically proven by induction on the transition relation, 
while liveness properties require a ranking function that maps the states into a well-founded domain. 
In model checking, checking a safety property corresponds to simple reachability, liveness to the more 
complicated nested reachability. In synthesis, deriving a system that satisfies a safety property involves 
solving safety/reachability games, which is simpler and typically more scalable than solving games with 
more general winning conditions such as Muller or parity. Perhaps most significantly, in runtime analysis, 
safety properties can be checked with a runtime monitor, while one can never conclusively determine that 
a liveness property has been violated after observing only a finite trace. 

We will refer to the standard definition of safety [10, 1] as linear-time safety, because it is based on the linear-time semantics, where the system and the specification each define a set of infinite words over an alphabet of observations. A language $P$ of infinite words is a linear-time safety property iff for every word $w$ that violates $P$ (i.e., $w \notin P$), there exists a finite prefix $w'$ of $w$ such that $w'$ also violates $P$, i.e., for all infinite extensions $w''$ of $w'$ it holds that $w'' \notin P$. In this paper, we show that the class of safety properties can be significantly extended if, rather than considering words over a single alphabet of observations, one explicitly distinguishes between the inputs and the outputs of a reactive system. 

We introduce our new notion of reactive safety by way of an example. Let us use linear-time temporal logic (LTL) to specify a simple coffee machine with two input bits $c$ (the coffee button) and $e$ (emergency shutdown), and two outputs $b$ (brewing coffee) and $f$ (emitting a failure signal). We specify that whenever the user presses the coffee button, brewing must eventually start or a failure must be signaled immediately. As an LTL formula, this property can be expressed as follows¹: 

$\psi_1 = G(c \to X(f \lor F\,b))$. (1) 

Additionally, we require that whenever the emergency shutdown button is pressed, brewing stops immediately (i.e., when the system gives the next output) and permanently: 

$\psi_2 = G(e \to X\,G(\neg b))$. (2) 

Clearly, $\psi_2$ is a linear-time safety property and $\psi_1 \land \psi_2$ is not, because there is no bound on the number of steps until the brewing starts after the coffee button was pressed. However, $\psi_1 \land \psi_2$ is a reactive safety property: we can transform $\psi_1 \land \psi_2$ into a linear-time safety property $\psi'_1 \land \psi_2$ that is equivalent in the sense that any system with input $2^{\{c,e\}}$ and output $2^{\{b,f\}}$ satisfies $\psi_1 \land \psi_2$ if and only if it satisfies $\psi'_1 \land \psi_2$. For $\psi'_1$, the safety formula $G(c \to X f)$ can be used. To see this, observe that $\psi_1$ specifies that whenever the coffee machine does not immediately respond to a coffee request with a failure message, it must eventually brew coffee regardless of the further circumstances. However, if the user presses the emergency shutdown button, the system cannot fulfill this task anymore without violating $\psi_2$. Thus, the only possibility for the system to satisfy $\psi_1 \land \psi_2$ is to answer every request with an immediate failure message. 
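As an added illustration (this is not code from the paper), the following Python block realises the linear-time safety property $\psi'_1 \land \psi_2 = G(c \to X f) \land G(e \to X\,G(\neg b))$ as a deterministic safety word automaton over letters $(\text{output}, \text{input})$ and uses it in two ways: as a runtime monitor that reports the shortest bad prefix of a single trace, and as a bounded check of a whole system, which is viewed as a full tree labelled by its outputs and explored along every input sequence up to a given depth. The state encoding, the function names and the two sample systems `polite` and `silent` are our own assumptions.

```python
# Added example, not code from the paper: a runtime monitor for the
# linear-time safety property psi'_1 /\ psi_2 = G(c -> X f) /\ G(e -> X G(not b))
# of the coffee machine, written as a deterministic safety word automaton over
# letters (output, input) with output in 2^{b,f} and input in 2^{c,e}.
# The state encoding, function names and sample systems are our own.

INPUTS = [frozenset(s) for s in ([], ["c"], ["e"], ["c", "e"])]  # the set 2^{c,e}
INITIAL = (False, False)  # (need_f, shut): no pending obligation, no shutdown yet


def delta(state, letter):
    """Transition function of the safety automaton.

    A state records the open obligations: need_f (the coffee button was read
    in the previous cycle, so this cycle's output must contain f) and shut
    (the emergency button was read at some point, so b is forbidden from now
    on).  Returns the successor state, or None if the letters read so far
    form a bad prefix, i.e. no infinite extension satisfies psi'_1 /\ psi_2.
    """
    need_f, shut = state
    out, inp = letter  # output emitted first, input read afterwards (footnote 1)
    if need_f and "f" not in out:  # G(c -> X f) is violated
        return None
    if shut and "b" in out:  # G(e -> X G(not b)) is violated
        return None
    return ("c" in inp, shut or "e" in inp)


def monitor(trace):
    """Run the monitor over a finite trace, a list of (out, inp) letters.

    Returns the length of the shortest bad prefix, or None if the trace can
    still be extended to a word satisfying psi'_1 /\ psi_2.
    """
    state = INITIAL
    for k, letter in enumerate(trace, start=1):
        state = delta(state, letter)
        if state is None:
            return k
    return None


def bad_prefix(system, depth):
    """Bounded check of a whole system rather than a single trace.

    `system` maps an input history (tuple of input sets) to the output set
    emitted at that node, i.e. it is a full O-labelled I-tree.  Every input
    sequence of length <= depth is explored; the first bad prefix found is
    returned, or None if no branch drives the monitor into a bad prefix.
    """
    def explore(history, state, letters):
        out = system(history)
        for inp in INPUTS:
            letter = (out, inp)
            nxt = delta(state, letter)
            if nxt is None:
                return letters + [letter]
            if len(history) + 1 < depth:
                found = explore(history + (inp,), nxt, letters + [letter])
                if found is not None:
                    return found
        return None
    return explore((), INITIAL, [])


# Two constructed systems (hypothetical, for illustration only).
def polite(history):
    """Answers every coffee request with an immediate failure, never brews."""
    if history and "c" in history[-1]:
        return frozenset({"f"})
    return frozenset()


def silent(history):
    """Ignores every request: neither f nor b is ever emitted."""
    return frozenset()
```

`monitor` is the runtime-analysis use of a safety property mentioned above: a violation is reported after a finite prefix. `bad_prefix` is the same automaton applied to all input branches at once, which is the operation the paper later calls spreading; for `polite` no branch ever reaches a bad prefix, while for `silent` the branch that presses the coffee button reaches one as soon as the next output lacks $f$.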

A natural semantic setting for reactive safety is that of branching time, where we view the computation of the system as a tree that branches according to the environment actions and where each node is labeled with the system's response to a particular sequence of environment actions. Reactive safety should, however, not be confused with existing notions of safety for tree properties, which extend safety from linear time to branching time by referring to prefix trees rather than prefix words: Manolios and Trefler [12, 13] define a universal safety property as a set $P$ of infinite trees such that for every tree $t$ that violates $P$, there exists a finite prefix tree $t'$ of $t$ such that $t'$ also violates $P$, i.e., for all infinite extensions $t''$ of $t'$ it holds that $t'' \notin P$. The price for referring to prefix trees is that the algorithmic advantages of linear-time safety are lost. For example, the branching-time property $\theta$ that states that the system's reaction to environment action 0 is different from its reaction to environment action 1 (formally, the set of binary trees where the label on the 0-child of the root is different from the label on the 1-child) is universally safe. However, it is impossible to construct a runtime monitor for this property, because the monitor cannot follow two branches at the same time. 

The notion of reactive safety applies uniformly to words and trees. Stated in terms of a tree language, a set $P$ of infinite trees is a reactive safety property iff for every tree $t$ that violates $P$, there exists a finite path $w$ in $t$ such that any tree $t'$ that contains $w$ also violates $P$, i.e., it holds that $t' \notin P$. We call the node that is reached by $w$ the violation starting node of $P$. Stated in terms of a word language, a set of infinite words $P$ is a reactive safety property iff the set of trees whose paths are contained in $P$ (we call this set the spread of $P$) is a reactive safety property. 

The class of reactive safety properties lies strictly between linear-time and branching-time safety: every linear-time safety property is also a reactive safety property, because the violating prefix identifies a violation starting node; likewise, every reactive safety property is also a universal safety property, because the path to the violation starting node is also a finite subtree. As our examples show, the inclusion is strict: the coffee machine specification $\psi_1 \land \psi_2$ is a reactive safety property but not a linear-time safety property; the branching-time property $\theta$ is a universal safety property but not a reactive safety property. 

¹ For this example, we assume that in every clock cycle, the system first generates the output and then reads its input. 
In fact, one can view reactive safety as the natural connection point between linear-time and branching-time safety. As we show later in the paper, reactive safety characterizes precisely the class of tree properties whose satisfaction can be checked by testing if all paths satisfy some linear-time safety property. Hence, reactive safety captures as much of the generality of branching-time safety as one can afford if one wishes to retain the algorithmic advantages of linear-time safety: all standard constructions for the verification and synthesis of linear-time safety properties can still be applied for reactive safety properties. 

In the remainder of the paper, we present algorithms for checking if a property, given as a temporal formula or as a word or tree automaton, is a reactive safety property and for automatically translating such properties into linear-time safety properties, expressed as safety automata. An immediate application of the algorithms is specification debugging, where the developer is warned if a property is a reactive safety property but not a linear-time safety property. There can be several reasons for such a situation. On the one hand, the specification might be erroneous, which should be detected as early as possible in the development process. On the other hand, an implicit equivalence, such as the one between $\psi_1 \land \psi_2$ and $\psi'_1 \land \psi_2$, may be an intended consequence of the specification. For the developer, this case is also of interest as it may be possible to reformulate the specification in a more direct and more concise way; understanding the consequences of the specification is also helpful for the subsequent design decisions. 

A second major application of our algorithms is to extend verification, synthesis and monitoring 
methods for linear-time safety to reactive safety. If a specification is a reactive safety property but not 
a linear-time safety property, we automatically construct a safety automaton, which represents a linear- 
time safety property that is equivalent in the sense that it has the same meaning on all systems with the 
same interface (i.e., the same inputs and outputs). The safety automaton can thus replace the original 
property for any verification, synthesis or monitoring purpose. 



Related work. The advantages of safety properties in verification (cf. [11]), synthesis (cf. [19]) and runtime monitoring (cf. [5]) are discussed in numerous papers and textbooks. However, determining whether a given property is a safety property is also useful independently of these applications. For instance, in specification debugging, unintended properties of manually written specifications are to be found. Two well-known techniques in this context are vacuity checking [2], which searches for inconsistencies and tautologies in the specification, and testing for semantic safety in the linear-time paradigm [9], where LTL formulas that express linear-time safety properties but possibly contain operators like until or eventually are identified. Our example specification $\psi_1 \land \psi_2$ is neither vacuous nor semantically safe in the linear-time paradigm, but still deserves a warning, because it can be stated equivalently as the linear-time safety property $\psi'_1 \land \psi_2$. Thus, identifying reactive safety properties can be seen as a refinement of these two techniques. 

The game-like view onto the interactions between inputs and outputs, which distinguishes reactive safety from the standard linear-time safety, has been used previously in related works. For instance, linear-time properties and their respective reactive safety properties in our framework are connected by the concept of open implication that was introduced by Greimel, Bloem, Jobstmann and Vardi [6]. A linear-time property has an equivalent reactive safety property if and only if both properties openly imply each other. Pnueli, Zaks and Zuck [20] furthermore applied the game-based viewpoint in the field of runtime verification and solved the interface monitoring problem of universal liveness properties. 
2 Preliminaries 

We consider non-terminating systems that interact with their environment over an infinite run. The interface between the system and the environment is specified by a signature $(I, O)$, where $I$ and $O$ are two disjoint sets of input and output signals, respectively. Each sequence of inputs results in a sequence of outputs. We therefore formalize system runs as infinite words over $O \times I$, and complete system behaviors as infinite $O$-labeled trees that branch according to $I$. In this section, we give a quick summary of the standard terminology for infinite words and trees. We also describe linear-time temporal logic as an example logic for the specification of reactive systems, and automata on infinite words and trees, which provide the basic machinery for the constructions of the paper. For a more detailed background on word and tree automata in the context of reactive systems, the reader is referred to [22]. 

Words. Given some finite alphabet $\Sigma$, we denote with $\Sigma^*$ and $\Sigma^\omega$ the sets of finite and infinite words over $\Sigma$, respectively. For a reactive system with signature $(I, O)$, we use infinite words in $(O \times I)^\omega$ to represent runs, and finite words in $(O \times I)^*$ to reason about the prefixes of such runs. A word $w = (y_0, t_0)(y_1, t_1)\ldots$, with $y_i \in O$ and $t_i \in I$ for every $i \in \mathbb{N}$, describes a run of a reactive system in which $y_0$ is put out in the first computation cycle, then $t_0$ is read and $y_1$ is put out, and so forth. This definition corresponds to the notion of Moore automata [16]. 

A subset of $\Sigma^\omega$ is called a word language or a word property. We say that a word $w$ satisfies a word property $P$ iff $w \in P$. Given some word $w = w_0 w_1 \ldots$, we denote by $w^i = w_i w_{i+1} \ldots$ the suffix of $w$ starting in position $i$. 

Linear-time temporal logic. Linear-time temporal logic (LTL) [18] is a commonly used logic to express properties over runs of a system. Formulas in LTL are defined with respect to a set of atomic propositions $AP$. For a reactive system with signature $(I, O)$, we assume that there exists a corresponding pair of sets of atomic propositions $(AP_I, AP_O)$ such that $I = 2^{AP_I}$ and $O = 2^{AP_O}$. We set $AP = AP_I \cup AP_O$. The syntax of LTL is defined inductively as follows: 

• For all atomic propositions $x \in AP$, $x$ is an LTL formula. 

• Let $\phi_1$ and $\phi_2$ be LTL formulas. Then $\neg\phi_1$, $(\phi_1 \lor \phi_2)$, $(\phi_1 \land \phi_2)$, $X\phi_1$, $F\phi_1$, $G\phi_1$, and $(\phi_1\,U\,\phi_2)$ are also valid LTL formulas. 

The validity of an LTL formula over $AP$ is defined inductively with respect to an infinite word $w = w_0 w_1 \ldots \in (2^{AP})^\omega$. Let $\phi_1$ and $\phi_2$ be LTL formulas. We set: 

• $w \models p$ if and only if (iff) $p \in w_0$, for $p \in AP$ 

• $w \models \neg\phi_1$ iff not $w \models \phi_1$ 

• $w \models (\phi_1 \lor \phi_2)$ iff $w \models \phi_1$ or $w \models \phi_2$ 

• $w \models (\phi_1 \land \phi_2)$ iff $w \models \phi_1$ and $w \models \phi_2$ 

• $w \models X\phi_1$ iff $w^1 \models \phi_1$ 

• $w \models G\phi_1$ iff for all $i \in \mathbb{N}$, $w^i \models \phi_1$ 

• $w \models F\phi_1$ iff there exists some $i \in \mathbb{N}$ such that $w^i \models \phi_1$ 

• $w \models (\phi_1\,U\,\phi_2)$ iff there exists some $i \in \mathbb{N}$ such that for all $0 \le j < i$, $w^j \models \phi_1$, and $w^i \models \phi_2$ 
Given an LTL formula $\psi$ over $AP$, the set of words satisfying the formula is a word language over $2^{AP}$, denoted as $\mathcal{L}(\psi)$. 
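The inductive semantics above can be executed directly on ultimately periodic words $u\,v^\omega$, which have only finitely many distinct suffixes $w^i$, so that the quantifiers over $i \in \mathbb{N}$ become finite ranges. The following Python evaluator is an added example and not code from the paper; the tuple encoding of formulas, the operator spellings and the sample runs of the coffee machine are our own assumptions.

```python
# Added example, not code from the paper: an evaluator for the LTL semantics
# above on ultimately periodic ("lasso") words u v^omega, given as a pair
# (prefix, loop) of lists of sets of atomic propositions.  A lasso word has only
# finitely many distinct suffixes w^i, so the quantifiers over i in N reduce to
# finite ranges.  Formulas are nested tuples; the operator spellings and the
# sample runs below are our own.

def holds(phi, word, i=0):
    """Decide w^i |= phi for the lasso word `word` = (prefix, loop), loop != []."""
    prefix, loop = word
    n, m = len(prefix), len(loop)

    def letter(k):
        # the k-th letter w_k of u v^omega
        return prefix[k] if k < n else loop[(k - n) % m]

    def suffixes(j):
        # indices k >= j whose suffixes w^k are pairwise distinct; every later
        # suffix equals one of these, so quantifying over them is exhaustive
        return range(j, max(j, n) + m)

    if isinstance(phi, str):                       # atomic proposition p: p in w_i
        return phi in letter(i)
    op = phi[0]
    if op == "!":
        return not holds(phi[1], word, i)
    if op == "|":
        return holds(phi[1], word, i) or holds(phi[2], word, i)
    if op == "&":
        return holds(phi[1], word, i) and holds(phi[2], word, i)
    if op == "->":                                 # a -> b abbreviates (!a | b)
        return (not holds(phi[1], word, i)) or holds(phi[2], word, i)
    if op == "X":                                  # w^i |= X a  iff  w^(i+1) |= a
        return holds(phi[1], word, i + 1)
    if op == "G":                                  # all suffixes satisfy a
        return all(holds(phi[1], word, k) for k in suffixes(i))
    if op == "F":                                  # some suffix satisfies a
        return any(holds(phi[1], word, k) for k in suffixes(i))
    if op == "U":                                  # a until b
        return any(holds(phi[2], word, k)
                   and all(holds(phi[1], word, j) for j in range(i, k))
                   for k in suffixes(i))
    raise ValueError(f"unknown operator {op!r}")


# The coffee machine specification from the introduction.
PSI1 = ("G", ("->", "c", ("X", ("|", "f", ("F", "b")))))
PSI2 = ("G", ("->", "e", ("X", ("G", ("!", "b")))))
SPEC = ("&", PSI1, PSI2)

# Constructed sample runs.  Each letter is the set of propositions true in one
# cycle: the output signals emitted, then the input signals read (footnote 1).
RUNS = {
    "fail_immediately": ([set(), {"c"}, {"f"}], [set()]),
    "brew_later":       ([{"c"}, set(), {"b"}], [set()]),
    "never_served":     ([{"c"}], [set()]),
    "brew_after_stop":  ([{"c"}, {"e"}], [{"b"}]),
}


def check_all(spec=SPEC):
    """Evaluate `spec` on every sample run; returns a name -> bool dict."""
    return {name: holds(spec, run) for name, run in RUNS.items()}
```

The run `never_served` shows why $\psi_1$ alone is not a linear-time safety property: every finite prefix of it can still be extended by a later $b$, so the violation only becomes definite on the infinite word, whereas the prefix $\{c\}\{e\}\{b\}$ of `brew_after_stop` already decides the violation of $\psi_2$.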

Word automata. Like LTL formulas, word automata represent word languages. Formally, a (universal or nondeterministic) parity word automaton is a tuple $\mathcal{A} = (Q, \Sigma, \delta, q_0, \alpha)$, where $Q$ is a finite set of states, $\Sigma$ the alphabet of $\mathcal{A}$, $\delta : Q \times \Sigma \to 2^Q$ the transition function of $\mathcal{A}$, $q_0 \in Q$ the initial state and $\alpha : Q \to \mathbb{N}$ the coloring function of $\mathcal{A}$. If $\alpha$ maps all states to 0 or 1, then $\mathcal{A}$ is called a Büchi automaton. If $\alpha$ maps all states to 0, then $\mathcal{A}$ is called a safety automaton. In this case, we omit $\alpha$ from the tuple. 

To determine if a given word $w = w_0 w_1 \ldots \in \Sigma^\omega$ is in the language of the word automaton $\mathcal{A}$ (we also say $w$ is accepted by $\mathcal{A}$) we consider the runs of $\mathcal{A}$ on $w$. A run on $w$ is a sequence $\pi = \pi_0 \pi_1 \ldots \in Q^\omega$ such that $\pi_0 = q_0$ and for all $i \in \mathbb{N}$, $\pi_{i+1} \in \delta(\pi_i, w_i)$. We say that $\pi$ is an accepting run if $\max(\mathrm{inf}(\alpha(\pi_0)\alpha(\pi_1)\ldots))$ is even, where $\mathrm{inf}$ is the function that maps a sequence to the set of elements occurring infinitely often in it. 

If $\mathcal{A}$ is a nondeterministic automaton, then $\mathcal{A}$ accepts the words for which there exists an accepting run. On the other hand, if $\mathcal{A}$ is a universal automaton, then $\mathcal{A}$ accepts those words for which all infinite runs for the word are accepting. We call a nondeterministic automaton where, for all $q \in Q$, $x \in \Sigma$, we have $|\delta(q, x)| \le 1$, deterministic. 

The connection between LTL and word automata is well-established in the literature. An LTL formula can be converted to an equivalent Büchi automaton of size exponential in the length of the LTL formula [25], where we define the size of an automaton to be $|\Sigma| \cdot \ldots$ 

Trees. We use words to describe runs of a reactive system and trees to describe the overall behavior of a reactive system, i.e., its output for all possible sequences of inputs. Given finite sets $I$ and $O$, we define the set of $O$-labeled $I$-trees $\mathcal{T}^O_I$ as all pairs $(T, \tau)$ such that $T \subseteq I^*$ is a prefix-closed set and $\tau : T \to O$ is a function that labels each node of the tree with an element of $O$. We call $I$ the set of directions of the tree and $O$ its set of labels. Whenever clear from the context, we omit $I$ and $O$ and just call $(T, \tau)$ a tree. We call a tree $(T, \tau)$ for which $T = I^*$ holds a full tree. A tree property or tree language $\psi$ over $I/O$-trees is a subset of $\mathcal{T}^O_I$. A tree $(I^*, \tau)$ with $\tau : I^* \to O$ is a representation for a reactive system with signature $(I, O)$. The runs of the reactive system correspond to the paths through the tree, i.e., each run is a word $\pi = s_0 t_0 s_1 t_1 \ldots \in (O \times I)^\omega$ such that for every $n \in \mathbb{N}_0$, $t_0 t_1 \ldots t_{n-1} \in T$ and $\tau(t_0 \ldots t_{n-1}) = s_n$. We say that $\pi$ is maximal if $\pi$ is infinite or, for $\pi = s_0 t_0 s_1 t_1 \ldots s_n$, for no $x \in I$ we have $t_0 \ldots t_{n-1} x \in T$. 

Tree automata. We use tree automata to define properties of the overall behavior of a reactive system. A (nondeterministic or universal) parity tree automaton is a tuple $\mathcal{A} = (Q, I, O, \delta, q_0, \alpha)$ with a finite set of states $Q$, a finite set of directions $I$, a finite set of labels $O$, a transition relation $\delta \subseteq Q \times O \times (I \to Q)$, and a coloring function $\alpha : Q \to \mathbb{N}$. We say that a tree automaton $\mathcal{A}$ is deterministic if for each $q \in Q$ and $y \in O$, there exists at most one element of the form $(q, y, f)$ for some $f \in (I \to Q)$ in $\delta$. As for word automata, we call $\mathcal{A}$ a safety automaton if $\alpha$ maps all states to 0 and a Büchi automaton if $\alpha : Q \to \{0, 1\}$. 

Given an $O$-labeled $I$-tree $(T, \tau)$, we say that some $Q$-labeled $I$-tree $(T_r, \tau_r)$ is a run tree of $\mathcal{A}$ and $(T, \tau)$ if $\tau_r(\varepsilon) = q_0$ and for all $t \in T_r$, there exists some $f \in (I \to Q)$ with $(\tau_r(t), \tau(t), f) \in \delta$ such that for all $x$ with $f(x) = q$ for some $q \in Q$, we have $\tau_r(tx) = q$. We say that $(T_r, \tau_r)$ is an accepting run tree if $T_r = T$ and for all infinite paths $\pi = q_0 t_0 q_1 t_1 \ldots$ in $(T_r, \tau_r)$, the highest number occurring infinitely often in the sequence $\alpha(q_0)\alpha(q_1)\ldots$ is even. For a nondeterministic parity tree automaton $\mathcal{A}$, we say that $(T, \tau)$ satisfies $\mathcal{A}$ (and, equivalently, that $(T, \tau)$ is accepted by $\mathcal{A}$) if there exists an accepting run tree for $(T, \tau)$ and $\mathcal{A}$. A universal parity tree automaton accepts a tree $(T, \tau)$ if all full run trees for $(T, \tau)$ are accepting. The language of $\mathcal{A}$, written $\mathcal{L}(\mathcal{A})$, consists of all accepted trees. 
For a state $q \in Q$ of a tree automaton $\mathcal{A} = (Q, I, O, \delta, q_0, \alpha)$, we define the language of $q$ as the language of the automaton $\mathcal{A}' = (Q, I, O, \delta, q, \alpha)$. Likewise, the language of a state $q \in Q$ in a word automaton $\mathcal{A} = (Q, \Sigma, \delta, q_0, \alpha)$ is defined as the language of the automaton $\mathcal{A}' = (Q, \Sigma, \delta, q, \alpha)$. 

An automaton is called pruned if it has no states with empty language. We define the size of a tree automaton $\mathcal{A}$ as $|\mathcal{A}| = \ldots + \ldots$ We say that a tree or word property is a regular property if it is the language of a parity tree or word automaton, respectively. We say that $q_1 q_2 \ldots q_n \in Q^n$ for some $n \in \mathbb{N}$ is a cycle in a tree automaton $\mathcal{A}$ if $q_1 = q_n$ and for every $i \in \{1, \ldots, n-1\}$ there exist $y \in O$ and $x \in I$ such that $f(x) = q_{i+1}$ for some $f$ with $(q_i, y, f) \in \delta$. 

From word to tree properties. We often use word properties to describe the overall behavior of a reactive system by requiring that every path of the tree satisfies the word property: for example, a reactive system satisfies a specification given as an LTL formula iff the LTL formula is satisfied for all possible input sequences. To formalize the translation from word to tree properties, we introduce a special spreading function. The spreading $\mathcal{S}_{I/O}(\psi)$ of a word language $\psi \subseteq (O \times I)^\omega$ for a signature $(I, O)$ is defined as follows: 

$\mathcal{S}_{I/O}(\psi) = \{(I^*, \tau) \mid \forall t = t_0 t_1 \ldots \in I^\omega : (\tau(\varepsilon), t_0)(\tau(t_0), t_1)(\tau(t_0 t_1), t_2)\ldots \in \psi\}$ 

It is straightforward to implement the spreading function as a construction that builds a tree automaton from a given deterministic parity word automaton, such that the language of the tree automaton is the spreading of the regular language represented by the word automaton. 

Definition 1. Given a deterministic parity word automaton $\mathcal{A} = (Q, \Sigma, \delta, q_0, \alpha)$ with $\Sigma = O \times I$, we define $\mathcal{S}_{I/O}(\mathcal{A}) = \mathcal{A}'$ for the deterministic tree automaton $\mathcal{A}' = (Q, I, O, \delta', q_0, \alpha)$ for which, for all $q \in Q$, $x \in O$ and $f \in (I \to Q)$, we have $(q, x, f) \in \delta'$ if and only if for all $y \in I$, $f(y) = q'$ for some $q' \in Q$ if and only if $(q, (x, y), q') \in \delta$. 

Linear-time and branching-time safety. Given a word language $\psi$ over some alphabet $\Sigma$, we say that $\psi$ is a linear-time safety property if for every $w = w_0 w_1 \ldots \in \Sigma^\omega$ such that $w \notin \psi$, there exists some $i \in \mathbb{N}$ such that for all words $w' \in \Sigma^\omega$, $w_0 w_1 \ldots w_i w' \notin \psi$ [1]. The prefix $w_0 w_1 \ldots w_i$ is also called a bad prefix word. If $\psi$ is a regular property and also a safety property, then $\psi$ can also be represented as a safety word automaton. 

Given some tree $(T, \tau)$, we say that some tree $(T', \tau')$ is a finite prefix tree of $(T, \tau)$ if $T' \subseteq T$, $T'$ is finite, and for all $t \in T'$, we have $\tau'(t) = \tau(t)$. A tree property $\psi$ over $I/O$-trees is a universal safety property [12] if all trees for which all finite prefix trees are the prefix of some tree in $\psi$ are also in $\psi$. 

3 Reactive Safety 

This section gives a formal definition of reactive safety. We start by considering general word and tree languages and will only later, in Section 4, focus on the special case of regular properties, as defined by automata or temporal logic formulas. We show that the class of reactive safety properties lies strictly between linear-time safety and universal safety. We also prove that reactive safety captures the largest class of properties whose satisfaction by a reactive system can be checked by testing whether all runs of the system satisfy some linear-time safety property. 

Unlike standard linear-time safety, reactive safety distinguishes between inputs and outputs. We therefore parameterize reactive safety with the signature of the reactive system and refer to reactive safety with respect to signature $(I, O)$ as $I/O$-safety. 
Definition 2. Let $I$ be a finite set of inputs, $O$ be a finite set of outputs, and let $\psi$ be a set of full $O$-labeled $I$-trees. We say that $\psi$ is a reactive safety property with respect to input $I$ and output $O$, or short an $I/O$-safety property, if, for every $O$-labeled $I$-tree $(T, \tau)$ that is not contained in $\psi$, there exists some node $t = t_0 \ldots t_k \in T$ (the violation starting node) such that for all $I/O$-trees $(T', \tau')$ for which $\tau(t_0 \ldots t_i) = \tau'(t_0 \ldots t_i)$ holds for all $0 \le i \le k$, we have that $(T', \tau') \notin \psi$. 

Informally, reactive safety thus means that whenever a tree does not satisfy the property, there exists some prefix path through the tree such that at the end of the path, it is clear that there exists no tree containing this prefix path such that the overall tree satisfies the property. The notion of reactive safety extends to word properties: a word property $\psi$ over the alphabet $O \times I$ is an $I/O$-safety property iff the spreading $\mathcal{S}_{I/O}(\psi)$ is an $I/O$-safety property. In the following, we omit $I$ and $O$ whenever clear from the context, and simply refer to reactive safety. 

The difference between the definitions of linear-time and reactive safety is subtle: In the case of 
linear-time safety, a word is accepted iff it does not have a bad prefix; hence, on a tree, every violating 
path must have a bad prefix. In the case of reactive safety, a tree is accepted iff it does not have a violation 
starting node: the difference thus is that for reactive safety, a single path to the violation starting node 
suffices for the entire tree, whereas for linear-time safety, every violating path needs to have a bad prefix. 

We now compare reactive safety to linear-time and universal safety. The following theorem shows 
that linear-time safety is a stronger requirement than reactive safety. 

Theorem 3. Let $\psi$ be a linear-time safety word property over some alphabet $O \times I$. Then $\mathcal{S}_{I/O}(\psi)$ is a reactive safety property. 

Proof. Let $(I^*, \tau)$ be a tree that is not contained in $\mathcal{S}_{I/O}(\psi)$. This means that there exists some path $t = t_0 t_1 \ldots \in I^\omega$ in the tree such that $w = (\tau(\varepsilon), t_0)(\tau(t_0), t_1)(\tau(t_0 t_1), t_2)\ldots$ is not contained in the safety word property $\psi$. The definition of linear-time safety assures that then, there is also some prefix of length $k$ for some $k \in \mathbb{N}$ and $t$ such that no word starting with $(\tau(\varepsilon), t_0)(\tau(t_0), t_1)(\tau(t_0 t_1), t_2)\ldots(\tau(t_0 \ldots t_{k-1}), t_k)$ is in $\psi$. In this case, we know that $t_0 \ldots t_k$ is a violation starting node in $(I^*, \tau)$. Thus, all trees rejected by $\mathcal{S}_{I/O}(\psi)$ have a violation starting node, which makes $\mathcal{S}_{I/O}(\psi)$ a reactive safety property. □ 

The coffee machine example from the introduction shows that a reactive safety property is not necessarily also a linear-time safety property. Comparing reactive and universal safety, we immediately see that reactive safety is stronger than universal safety, because the path to the violation starting node is also a finite subtree. 

Corollary 4. Every reactive safety property is also a universal safety property. 

The converse is not true. Formalizing the example property from the introduction, consider $I = \{0, 1\}$, $O = \{0, 1\}$ and the tree property $\theta = \{(T, \tau) \mid T = I^*, \tau(0) \neq \tau(1)\}$. This property is certainly universally safe, but not a reactive safety property, because it relates the labels along two paths; a violation can therefore not be blamed on a single violation starting node. 

Reactive safety thus lies strictly between linear-time and universal safety. As discussed in the introduction, one can in fact view reactive safety as the natural connection point between linear-time and branching-time safety, because it represents the largest class of properties whose satisfaction by a reactive system can be checked by testing whether all runs of the system are contained in some linear-time safety property. This characterization of reactive safety is proven in the following theorem. 

Theorem 5. A tree property $\psi \subseteq \mathcal{T}^O_I$ is an $I/O$-safety property iff there exists a linear-time safety word property $\psi' \subseteq (O \times I)^\omega$ such that precisely the trees in $\psi$ satisfy $\psi'$ along all of their paths. 
Proof. The "if" direction is implied by Theorem 3. For the "only if" direction, we define $\psi'$ to contain all paths in trees in $\psi$ that do not contain a violation starting node. Then, $\psi'$ accepts the words needed for the claim. Surely, $\psi'$ is also a safety property as for every path not in $\psi'$, the path must contain a violation starting node, and every other path with the same prefix up to this node is also not in $\psi'$. □ 

We conclude this section by returning to the coffee machine example from the introduction. We specified the coffee machine with the two LTL formulas 

$\psi_1 = G(c \to X(f \lor F\,b))$ and $\psi_2 = G(e \to X\,G(\neg b))$. 

The conjunction $\psi_1 \land \psi_2$ is an $I/O$-safety property for the signature $(I = 2^{\{c,e\}}, O = 2^{\{b,f\}})$. To see this, consider a tree $(T, \tau)$ that does not fulfill $\psi_1 \land \psi_2$ along all of its paths. Violation starting nodes are: 

1. the nodes that witness that $\psi_2$ has been violated along the path to the node, and 

2. the nodes $t = t_0 \ldots t_k$ for which $c \in t_{k-1}$, but $f \notin \tau(t_0 \ldots t_{k-1})$ and $e \in t_k$, as any such prefix path $(\tau(\varepsilon), t_0)(\tau(t_0), t_1)\ldots(\tau(t_0 \ldots t_{k-1}), t_k)$ cannot be extended to an infinite path that satisfies $\psi_1 \land \psi_2$ (as explained in the introduction). 

It is not obvious to see that the set of trees satisfying $\psi_1 \land \psi_2$ is precisely the set of trees that do not have a violation starting node corresponding to one of the two node types above. In the next sections we will develop the necessary automata-theoretic machinery to answer this question. We will return to the example in Section 5.3. 

4 Regular Reactive Safety Properties 

We now give an automata-theoretic characterization of the regular $I/O$-safety tree properties. Let $\psi$ be an $I/O$-safety property. In analogy to the definition of tight automata for linear-time safety languages [9], we call a deterministic word automaton $\mathcal{A}$ tight for $\psi$ if $\mathcal{S}_{I/O}(\mathcal{A})$ accepts precisely the trees in $\psi$. In the following, we establish the fact that all regular reactive safety properties have regular tight languages, which immediately implies that the class of deterministic safety tree automata represents precisely the reactive safety languages. 

The key step is to define a function $\mathcal{W}$, which converts a tree automaton to a word automaton. Intuitively, $\mathcal{W}$ is the inverse operation to spreading a word automaton. The $\mathcal{W}$ function is the missing link in the characterization of the regular reactive safety properties: we show that a property, represented as a (pruned) tree automaton $\mathcal{A}$, is $I/O$-safe if and only if we have $\mathcal{L}(\mathcal{A}) = \mathcal{L}(\mathcal{S}_{I/O}(\mathcal{W}(\mathcal{A})))$. 

We begin with a lemma about rejecting run trees for reactive safety properties. 

Lemma 6. For a pruned nondeterministic parity tree automaton $\mathcal{A}$, representing an $I/O$-safe property, and a full tree $(T, \tau)$ not in the language of $\mathcal{A}$, no run tree $(T_r, \tau_r)$ for $(T, \tau)$ has $t \in T_r$ for the violation starting node $t = t_0 \ldots t_n \in T$. 

Proof. We show the claim by assuming the converse and deriving a contradiction. In particular, we build a second full tree $(T', \tau')$ for which the path from the root to $t$ is the same as in $(T, \tau)$, but that is accepted by $\mathcal{A}$ and thus contradicts the fact that $t$ is a violation starting node for $\mathcal{A}$. Without loss of generality, we assume that $t$ is a violation starting node that does not have a prefix which is also a violation starting node. 

We assume that $\mathcal{A} = (Q, I, O, \delta, q_0, \alpha)$ for $Q = \{q_0, \ldots, q_m\}$. If $\mathcal{A}$ is pruned, then for every state $q_i$, there exists some full tree $(T^i, \tau^i)$ that is in the language of $q_i$, with the corresponding run tree $(T^i_r, \tau^i_r)$. 

In $(T', \tau')$, we replicate the path to the violation starting node of $(T, \tau)$. We set $\tau'(\varepsilon) = \tau(\varepsilon)$ and $\tau'(t_0 \ldots t_i) = \tau(t_0 \ldots t_i)$ for all $i \in \{0, \ldots, n-1\}$. The corresponding accepting run tree $(T'_r, \tau'_r)$ is also copied along this path, i.e., $\tau'_r(t_0 \ldots t_i x) = \tau_r(t_0 \ldots t_i x)$ for all $i \in \{0, \ldots, n-1\}$ and $x \in I$, and furthermore $\tau'_r(\varepsilon) = \tau_r(\varepsilon)$. This makes sure that $(T'_r, \tau'_r)$ is a valid (and complete) prefix run tree for the parts of $(T', \tau')$ defined so far. Note that the nodes of $(T_r, \tau_r)$ referred to here are actually all well-defined, as otherwise $t$ would have a prefix that is also a violation starting node. 

For the rest of $(T', \tau')$, we copy the trees of the set $\{(T^0, \tau^0), \ldots, (T^m, \tau^m)\}$ declared above as sub-trees into $(T', \tau')$ and set $\tau'(t_0 \ldots t_i x t') = \tau^k(t')$ for $k \in \{0, \ldots, m\}$ such that $q_k = \tau_r(t_0 \ldots t_i x)$ and all $i \in \{0, \ldots, n\}$, $x \in I$ and $t' \in I^*$. For the corresponding run tree $(T'_r, \tau'_r)$, we do the same and set $\tau'_r(t_0 \ldots t_i x t') = \tau^k_r(t')$ for $k \in \{0, \ldots, m\}$ such that $q_k = \tau_r(t_0 \ldots t_i x)$ for all $i \in \{0, \ldots, n\}$, $x \in I$ and $t' \in I^*$. The resulting run tree is full and also accepting as all run trees in $\{(T^0_r, \tau^0_r), \ldots, (T^m_r, \tau^m_r)\}$, which form the suffix run trees in $(T'_r, \tau'_r)$, are accepting. □ 

Definition 7. Given a nondeterministic parity tree automaton $\mathcal{A} = (Q, I, O, \delta, q_0, \alpha)$, we define $\mathcal{W}(\mathcal{A}) = \mathcal{A}'$ for the deterministic safety word automaton $\mathcal{A}' = (Q', \Sigma, \delta', \{q_0\})$ for which $\Sigma = O \times I$, $Q' = 2^Q$ and for all $(x, y) \in \Sigma$ and $q, q' \in Q'$, we have $(q, (x, y), q') \in \delta'$ if and only if $q' = \{\hat{q} \in Q \mid \exists \tilde{q} \in q,\ f \in (I \to Q) : (\tilde{q}, x, f) \in \delta,\ f(y) = \hat{q}\}$. 
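The constructions of Definition 1 (spreading a deterministic word automaton into a tree automaton) and Definition 7 (the power-set function $\mathcal{W}$) are small enough to run, and doing so makes the language comparison used in the theorem that follows concrete. The Python block below is an added example, not code from the paper: automata are plain lists of triples and dicts, the empty set is treated as a missing transition so that $\mathcal{W}(\mathcal{A})$ is pruned, and the two sample automata (the property $\theta$ from Section 3 and an "echo" property whose labels repeat the direction) as well as all names are our own assumptions. Acceptance is checked on finite prefix trees of depth 2, which is enough to separate the two cases.

```python
# Added example, not code from the paper: Definition 1 (spreading a
# deterministic word automaton into a deterministic tree automaton) and
# Definition 7 (the power-set function W), together with a comparison of
# L(A) and L(S(W(A))) on small finite prefix trees.  Automata are lists of
# triples and dicts; I = O = {0, 1}; the sample automata and names are our own.
from itertools import product

I = (0, 1)  # directions (inputs)
O = (0, 1)  # labels (outputs)


def spread(word_delta):
    """Definition 1.  word_delta: dict (q, (x, y)) -> q' of a deterministic
    word automaton over O x I.  Returns the triples (q, x, f) of the
    deterministic tree automaton, where f maps every direction y to the
    successor on letter (x, y); (q, x) gets no triple if some y has none."""
    pairs = []
    for (q, (x, _y)) in word_delta:
        if (q, x) not in pairs:
            pairs.append((q, x))
    triples = []
    for q, x in pairs:
        f = {y: word_delta.get((q, (x, y))) for y in I}
        if all(q2 is not None for q2 in f.values()):
            triples.append((q, x, f))
    return triples


def W(q0, triples):
    """Definition 7.  From the nondeterministic tree automaton given by
    `triples` (q, x, f) with initial state q0, build the deterministic safety
    word automaton over (label, direction) letters whose states are the
    reachable subsets of Q.  A transition into the empty set is left
    undefined, so the automaton is pruned and such a letter ends a bad prefix."""
    word_delta = {}
    todo, seen = [frozenset({q0})], {frozenset({q0})}
    while todo:
        S = todo.pop()
        for x, y in product(O, I):
            S2 = frozenset(f[y] for (q, x2, f) in triples if q in S and x2 == x)
            if S2:
                word_delta[(S, (x, y))] = S2
                if S2 not in seen:
                    seen.add(S2)
                    todo.append(S2)
    return word_delta


def has_run(triples, q0, tree):
    """Is there a partial run tree of the safety tree automaton `triples` on
    the finite prefix tree `tree` (dict: node tuple -> label)?  Backtracking
    over the nondeterministic choice of triple at every node; a node without
    children in `tree` only needs a matching triple."""
    def go(node, q):
        for q1, x, f in triples:
            if q1 != q or x != tree[node]:
                continue
            if all(node + (y,) not in tree or go(node + (y,), f[y]) for y in I):
                return True
        return False
    return go((), q0)


def compare(q0, triples, tree):
    """(accepted by A, accepted by S(W(A))) for the prefix tree `tree`."""
    w = W(q0, triples)
    return has_run(triples, q0, tree), has_run(spread(w), frozenset({q0}), tree)


# Sample 1: the property theta of Section 3 (label of node 0 differs from the
# label of node 1) as a pruned nondeterministic safety tree automaton: the
# root guesses which child carries which label, e0/e1 check the guess.
THETA = (
    [("q0", x, {0: "e0", 1: "e1"}) for x in O]
    + [("q0", x, {0: "e1", 1: "e0"}) for x in O]
    + [("e0", 0, {0: "acc", 1: "acc"}), ("e1", 1, {0: "acc", 1: "acc"})]
    + [("acc", x, {0: "acc", 1: "acc"}) for x in O]
)

# Sample 2: "the label of every non-root node equals the direction leading to
# it", as a deterministic safety tree automaton; this property is I/O-safe.
ECHO = (
    [("s", x, {0: "p0", 1: "p1"}) for x in O]
    + [("p0", 0, {0: "p0", 1: "p1"}), ("p1", 1, {0: "p0", 1: "p1"})]
)

# Two constructed full prefix trees of depth 2.
NODES = [(), (0,), (1,), (0, 0), (0, 1), (1, 0), (1, 1)]
SAME = {t: 0 for t in NODES}                       # tau(0) == tau(1)
ECHOED = {t: (t[-1] if t else 0) for t in NODES}   # tau(0) != tau(1), echoes
```

For `THETA`, $\mathcal{W}$ never reaches the empty set (after the root every subset contains a state that accepts either label), so $\mathcal{S}_{I/O}(\mathcal{W}(\mathcal{A}))$ accepts the tree `SAME` that $\mathcal{A}$ rejects: the two languages differ, matching the fact that $\theta$ is not reactive safe. For `ECHO` the two checks agree on both trees, and a rejected tree always has a path on which $\mathcal{W}(\mathcal{A})$ runs into the empty set.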

Theorem 8. The language of a pruned nondeterministic parity tree automaton $\mathcal{A}$ is $I/O$-safe if and only if $\mathcal{L}(\mathcal{S}_{I/O}(\mathcal{W}(\mathcal{A}))) = \mathcal{L}(\mathcal{A})$. Furthermore, if $\mathcal{L}(\mathcal{A})$ is $I/O$-safe, then $\mathcal{W}(\mathcal{A})$ is tight for $\mathcal{L}(\mathcal{A})$. 

Proof. ⇒: Assume that some tree $(T, \tau)$ is not accepted by $\mathcal{A}$. Since $\mathcal{A}$ represents an $I/O$-safety property, there must exist a violation starting node $t \in T$. As $\mathcal{A}$ is pruned, all run trees $(T_r, \tau_r)$ thus need to have that $t \notin T_r$ (Lemma 6). Since all rejected trees have this property, to check whether a tree is rejected, we thus only need to test whether any path in the tree necessarily leads to a corresponding finite maximal path in the run tree. By Definition 7, $\mathcal{W}(\mathcal{A})$ rejects precisely these paths (due to the power-set construction involved) and is thus tight for $\mathcal{L}(\mathcal{A})$. By Definition 1, $\mathcal{S}_{I/O}(\mathcal{W}(\mathcal{A}))$ rejects precisely the trees having such a path. Thus, the languages of $\mathcal{S}_{I/O}(\mathcal{W}(\mathcal{A}))$ and $\mathcal{A}$ are identical. 

⇐: As the $\mathcal{S}_{I/O}$ function converts a safety word automaton into a deterministic safety tree automaton that accepts a tree if and only if all paths in the tree are accepted by the safety word automaton, any outcome of applying the function is necessarily an $I/O$-safety property. As we assume that $\mathcal{L}(\mathcal{S}_{I/O}(\mathcal{W}(\mathcal{A}))) = \mathcal{L}(\mathcal{A})$, this means that $\mathcal{L}(\mathcal{A})$ is also an $I/O$-safety property. □ 

We conclude the characterization of the regular reactive safety properties with the following theorem: 

Theorem 9. The set of regular I/O-safe properties coincides with the set of properties representable as 
deterministic safety tree automata with directions I and labels O. 

Proof. ⇒: Assume that we have some regular I/O-safety property $\psi$ given. Since $\psi$ is regular, we can construct a nondeterministic parity tree automaton from it, and by Theorem 8 a deterministic safety tree automaton with directions $I$ and labels $O$.

⇐: As a deterministic safety tree automaton accepts an $O$-labeled $I$-tree if its run tree is complete with respect to $I$, all trees that are not accepted by some deterministic safety tree automaton $\mathcal{A}$ have some finite maximal path in the run tree. Due to the determinism of $\mathcal{A}$, when taking the corresponding path in the rejected tree, copying this path into a different tree causes the new tree to be rejected by $\mathcal{A}$ as well. □
5 Detecting Reactive Safety

The goal of this section is to check if a given property, represented as an automaton or an LTL formula, 
is a reactive safety property. We give separate constructions for tree and word properties. The algorithms 
of the first subsection analyze the languages of nondeterministic and deterministic parity tree automata. 
The algorithms of the second subsection analyze word languages that are either given as LTL formulas
or as nondeterministic Büchi automata.

5.1 Reactive Safety for Tree Languages 

Our algorithm for nondeterministic parity tree automata is based on the observation that the language equality requirement in Theorem 8 can be weakened to language containment by the fact, shown in the following lemma, that the language of the tree automaton $\mathcal{A}$ is always contained in the language of $\mathcal{T}_{I/O}(\mathcal{W}(\mathcal{A}))$. We will show that this condition can be checked in single-exponential time. Using Muller and Schupp's complementation-by-dualization [14], we first obtain an automaton for the complement of $\mathcal{A}$. This language is then intersected with the language of $\mathcal{T}_{I/O}(\mathcal{W}(\mathcal{A}))$, and the emptiness of the resulting automaton is checked with a parity game.

Lemma 10. For a nondeterministic parity tree automaton $\mathcal{A}$, it holds that $\mathcal{L}(\mathcal{A}) \subseteq \mathcal{L}(\mathcal{T}_{I/O}(\mathcal{W}(\mathcal{A})))$.

Proof. By the construction of $\mathcal{T}_{I/O}(\mathcal{W}(\mathcal{A}))$, we have that $\mathcal{L}(\mathcal{A}) \subseteq \mathcal{L}(\mathcal{T}_{I/O}(\mathcal{W}(\mathcal{A})))$, because the $\mathcal{W}$ function performs a power-set construction over $\mathcal{A}$, so all missing paths in a run tree for $\mathcal{T}_{I/O}(\mathcal{W}(\mathcal{A}))$ imply a missing path in every run tree for $\mathcal{A}$. □

Combining Theorem 8 and Lemma 10, we obtain that reactive safety can be characterized as language containment between $\mathcal{T}_{I/O}(\mathcal{W}(\mathcal{A}))$ and $\mathcal{A}$.

Corollary 11. The language of a nondeterministic parity tree automaton $\mathcal{A}$ is I/O-safe if and only if $\mathcal{L}(\mathcal{T}_{I/O}(\mathcal{W}(\mathcal{A}))) \subseteq \mathcal{L}(\mathcal{A})$.
Using Corollary 11, we now devise an automata-theoretic algorithm for checking for reactive safety.

Lemma 12. Given a nondeterministic parity tree automaton $\mathcal{A} = (Q, I, O, \delta, q_0, \alpha)$ that runs on $O$-labeled $I$-trees, the universal parity tree automaton $(Q, I, O, \delta, q_0, \alpha + 1)$, in which every colour is incremented by one, accepts a tree $(I^*, \tau)$ iff $(I^*, \tau)$ is not accepted by $\mathcal{A}$.

Lemma 13. [13] Given a universal parity tree automaton with $n$ states and $c$ colors, we can construct an equivalent nondeterministic parity tree automaton $\mathcal{N}$ with $n^{O(c \cdot n)}$ states and $O(c \cdot n)$ colors.

Theorem 14. Given a nondeterministic parity tree automaton $\mathcal{A} = (Q, I, O, \delta, q_0, \alpha)$, checking whether $\mathcal{L}(\mathcal{A})$ is I/O-safe (and obtaining a tight automaton for $\mathcal{L}(\mathcal{A})$ in case of a positive result) can be done in EXPTIME.

Proof. As a first step, we identify and remove all states of $\mathcal{A}$ with an empty language. The emptiness check (by reduction to solving parity games) can be done in time $n^{O(c)}$ [7]. Let the resulting automaton be called $\mathcal{A}'$. By Corollary 11, $\mathcal{A}'$ is I/O-safe iff the language of $\mathcal{T}_{I/O}(\mathcal{W}(\mathcal{A}'))$ is contained in the language of $\mathcal{A}'$. We check whether $\mathcal{L}(\mathcal{T}_{I/O}(\mathcal{W}(\mathcal{A}'))) \cap \overline{\mathcal{L}(\mathcal{A}')} = \emptyset$. Applying Lemma 12, we translate $\mathcal{A}'$ into the universal automaton that recognizes the complement language; it has the same size as $\mathcal{A}'$. Applying Lemma 13, we obtain an equivalent nondeterministic automaton $\mathcal{N}$ with $n^{O(c \cdot n)}$ states and $O(c \cdot n)$ colors. Computing the language intersection with the deterministic automaton $\mathcal{T}_{I/O}(\mathcal{W}(\mathcal{A}'))$, which has $2^{O(n)}$ states and a single color, we obtain the nondeterministic product automaton with $n^{O(c \cdot n)}$ states and $O(c \cdot n)$ colors. The emptiness test of a nondeterministic parity tree automaton with $m$ states and $d$ colors can be done in $m^{O(d)}$ time [7]. The overall time complexity is thus $n^{O(c^2 \cdot n^2)}$. By Theorem 8, $\mathcal{W}(\mathcal{A}')$ is tight for $\mathcal{L}(\mathcal{A}')$ and thus also tight for $\mathcal{L}(\mathcal{A})$. □

If the tree language is given as a deterministic automaton, we can check whether the language is a 
reactive safety property with a simpler construction, where we first prune states with empty languages 
from the automaton and then search for a rejecting cycle in the remaining state graph. This construction 
is analyzed in the following theorem and will be used for the analysis of word languages in the next 
subsection. 

Theorem 15. Given a deterministic parity tree automaton $\mathcal{A}$ over $I/O$ with $n$ states and $c$ colours, checking whether $\mathcal{L}(\mathcal{A})$ is I/O-safe (and obtaining a tight automaton for $\mathcal{L}(\mathcal{A})$ in case of a positive result) can be done in time $n^{O(c)}$.

Proof. Again, as a first step, we identify and remove all states of $\mathcal{A}$ with an empty language. Let the resulting automaton be called $\mathcal{A}'$. As a second step, we check if $\mathcal{A}'$ contains a rejecting cycle, i.e., a cycle in its state graph on which the highest colour is odd, which can be done in polynomial time [1]. $\mathcal{A}'$ contains a rejecting cycle iff there exists an input tree that is rejected and has a (unique) full run tree, which is the case exactly if $\mathcal{L}(\mathcal{A}')$, and hence $\mathcal{L}(\mathcal{A})$, is not safe.

To obtain the tight word automaton, we simply compute $\mathcal{W}(\mathcal{A}')$. For deterministic tree automata, the subset construction employed in Definition 7 does not increase the number of states in the automaton, since only singleton sets are reachable. If $\mathcal{A}'$ does not contain any rejecting cycles, then $\mathcal{L}(\mathcal{T}_{I/O}(\mathcal{W}(\mathcal{A}'))) = \mathcal{L}(\mathcal{A}')$, and, hence, $\mathcal{W}(\mathcal{A}')$ is tight for $\mathcal{L}(\mathcal{A})$. □



5.2 Reactive Safety for Word Languages 

We reduce the analysis of word languages, given as LTL formulas or as word automata, to the case of deterministic parity tree automata solved in Theorem 15. For this purpose, we translate the given formula or automaton into a deterministic parity automaton, which causes a doubly-exponential or single-exponential blow-up, respectively, in the number of states.

Theorem 16. Given a formula $\psi$ of linear-time temporal logic over the atomic propositions $AP = AP_I \cup AP_O$, for $I = 2^{AP_I}$ and $O = 2^{AP_O}$, the problem of determining whether the set of $O$-labeled $I$-trees satisfying $\psi$ along all paths is I/O-safe (and obtaining a tight automaton in case of a positive result) is 2EXPTIME-complete.

Proof. For the upper bound, we translate the LTL formula of size $n$ into a deterministic parity word automaton $\mathcal{A}$ with at most $2^{2^{O(n \log n)}}$ states and $3(n+1) \cdot 2^n$ colors [24]. We then consider the tree automaton $\mathcal{T}_{I/O}(\mathcal{A})$, which has the same number of states and colors. Applying Theorem 15, we can thus check whether $\mathcal{L}(\mathcal{A})$ is a reactive safety property and obtain the tight automaton in time $2^{2^{O(n \log n)}}$.

For the lower bound, we reduce the realizability problem of LTL, which is 2EXPTIME-complete [19], to I/O-safety checking. Let $\psi$ be a specification over $AP = AP_I \cup AP_O$ that is to be checked for realizability. We take $\psi' = \psi \wedge \mathsf{G}\mathsf{F} a$ for some $a \notin AP$. Then, $\psi$ is realizable over $2^{AP_I}/2^{AP_O}$ if and only if $\psi'$ is not $2^{AP_I}/2^{AP_O \cup \{a\}}$-safe:

• If $\psi$ is realizable over $2^{AP_I}/2^{AP_O}$, then the $\mathsf{G}\mathsf{F} a$ conjunct in $\psi'$ ensures that $\psi'$ is not $2^{AP_I}/2^{AP_O \cup \{a\}}$-safe: a tree that follows a realizing strategy but stops emitting $a$ from some node on is rejected, yet every node of it can still be extended to an accepted tree, so it has no violation starting node.

• On the other hand, if $\psi$ is not realizable over $2^{AP_I}/2^{AP_O}$, then neither is $\psi'$ over $2^{AP_I}/2^{AP_O \cup \{a\}}$. As the empty tree property over $2^{AP_I}/2^{AP_O \cup \{a\}}$ has the property violation node $\varepsilon$, $\psi'$ is $2^{AP_I}/2^{AP_O \cup \{a\}}$-safe. □

Figure 1: Deterministic parity word automaton for the specification $\mathsf{G}(c \to \mathsf{X}(f \vee \mathsf{F} b)) \wedge \mathsf{G}(e \to \mathsf{X}\mathsf{G}(\neg b))$. The states $q_2$ and $q_5$ have color 1, the remaining states have color 2. We use overlined atomic propositions to denote negated input or output bits. For example, the expression $f\bar{c}$ refers to all elements $x \in 2^{AP_I \cup AP_O}$ with $f \in x$ and $c \notin x$. (The figure itself is not reproduced here.)

Theorem 17. Given a nondeterministic Büchi word automaton $\mathcal{A}$ over the alphabet $\Sigma = O \times I$, the problem of determining whether $\mathcal{L}(\mathcal{A})$ is I/O-safe is EXPTIME-complete.

Proof. For the upper bound, we translate the given nondeterministic Büchi word automaton $\mathcal{A}$ into an equivalent deterministic parity word automaton. If the Büchi automaton has $n$ states, the resulting deterministic parity word automaton $\mathcal{A}'$ has at most $2^{O(n \log n)}$ states and $2n + 1$ colors [11, 24]. Without changing the size of the automaton, we transform $\mathcal{A}'$ into the deterministic parity tree automaton $\mathcal{T}_{I/O}(\mathcal{A}')$ and apply Theorem 15. The check whether $\mathcal{L}(\mathcal{A})$ is safe, and, in case of a positive result, the construction of the tight automaton, thus takes at most $2^{O(n^2 \log n)}$ time.

We obtain a matching lower bound from LTL realizability with a similar reduction as in Theorem 16. Since the exponential-time hierarchy is strict, the translation from LTL formulas to nondeterministic Büchi automata can be done with only an exponential blow-up [25], and the LTL realizability problem is 2EXPTIME-complete, the realizability problem for nondeterministic Büchi automata is EXPTIME-hard. We build an automaton for the LTL formula $\mathsf{G}\mathsf{F} a$. As taking the conjunction of two Büchi automata results in only polynomial blow-up [23], the rest of the construction is analogous to the proof of Theorem 16. □

5.3 The Coffee Machine Example 

We finish this section with the coffee machine example from the introduction. The specification is a conjunction $\psi_1 \wedge \psi_2$ of two LTL formulas, $\psi_1 = \mathsf{G}(c \to \mathsf{X}(f \vee \mathsf{F} b))$ (whenever the user presses the coffee button, brewing must eventually start or a failure must be signaled immediately) and $\psi_2 = \mathsf{G}(e \to \mathsf{X}\mathsf{G}(\neg b))$ (whenever the emergency shutdown button is pressed, brewing stops permanently), where $c$ and $e$ are inputs and $b$ and $f$ are outputs.
The specification can be translated into the deterministic parity word automaton $\mathcal{A}$ over the alphabet $2^{\{b, c, e, f\}}$ shown in Figure 1. The states $q_0$, $q_1$ and $q_2$ correspond to the case that the emergency button (input $e$) has not been pressed yet. When the button is pressed, the run of the automaton moves to the states $q_3$, $q_4$ and $q_5$, which mirror the behavior of $q_0$, $q_1$ and $q_2$, but take into account that the emergency button has been pressed in the past and the $b$ signal is therefore no longer allowed.

To check whether the language of $\mathcal{A}$ is a reactive safety property, we spread $\mathcal{A}$ to a tree automaton $\mathcal{A}' = (Q, I, O, \delta, q_0, \alpha)$ with the same set of states, and prune all states with empty language. In $\mathcal{A}'$, state $q_5$ has the empty language and is therefore removed. Note that this also removes all transitions $(q, y, f) \in \delta$ for which $f(i) = q_5$ for some $i \in I$. As a result, there are no transitions of the form $(q_1, \{b\}, f)$ or $(q_1, \emptyset, f)$ anymore. Hence, state $q_2$ has become unreachable.

Since all remaining reachable states have color 2, there are no infinite paths in the automaton on which the highest color occurring infinitely often is odd. Hence, the automata $\mathcal{A}$ and $\mathcal{A}'$ represent a reactive safety property.
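The procedure of Theorem 15, as walked through above, in executable form. This is an added illustration and not code from the paper: the automaton below is my own encoding of $\psi_1 \wedge \psi_2$ as a deterministic parity tree automaton (its states are pairs of an emergency flag and a pending obligation and do not correspond to $q_0, \ldots, q_5$ of Figure 1), a letter is read as an (output, input) pair in which the output at a node precedes the input direction, and the emptiness check that the proof delegates to parity games [7] is carried out with Zielonka's recursive algorithm. After pruning, the transition relation read as a word automaton over $O \times I$ is the tight automaton $\mathcal{W}(\mathcal{A}')$ of Definition 7 (the subset construction reaches only singletons), which `monitor` uses as a runtime monitor; `always_eventually_b` is a constructed non-example with a rejecting cycle.

```python
# Added example (not the paper's code): the decision procedure of Theorem 15 run on
# my own encoding of the coffee-machine specification of Section 5.3 (state names
# differ from Figure 1). A letter is an (output, input) pair: the output at a node is
# read before the environment picks the direction. Emptiness: Zielonka's algorithm.
from itertools import combinations

INPUTS = [frozenset(s) for r in range(3) for s in combinations(("c", "e"), r)]   # I = 2^{c,e}
OUTPUTS = [frozenset(s) for r in range(3) for s in combinations(("b", "f"), r)]  # O = 2^{b,f}

def coffee_machine():
    """G(c -> X(f | F b)) & G(e -> X G !b) as a deterministic parity tree automaton:
    states (emergency_seen, obligation) with obligation none / fresh (c just read: f now,
    or b now or later) / pending (b later; colour 1); delta[(q, output)] = {input: q'}."""
    colors, delta = {}, {}
    for em in (0, 1):
        for ob in ("none", "fresh", "pending"):
            colors[(em, ob)] = 1 if ob == "pending" else 2
            for y in OUTPUTS:
                if em and "b" in y:            # b after e: violation, hence no transition
                    continue
                done = ("f" in y or "b" in y) if ob == "fresh" else "b" in y
                ob2 = "none" if ob == "none" or done else "pending"
                delta[((em, ob), y)] = {x: (em or int("e" in x),
                                            ob2 if ob2 == "pending" else "fresh" if "c" in x else "none")
                                        for x in INPUTS}
    return (0, "none"), colors, delta

def always_eventually_b():
    """G F b: no state has an empty language, but 'wait' lies on a rejecting self-loop."""
    delta = {(q, y): {x: "seen" if "b" in y else "wait" for x in INPUTS}
             for q in ("wait", "seen") for y in OUTPUTS}
    return "wait", {"wait": 1, "seen": 2}, delta

def parity_game(colors, delta):
    """Emptiness game: the system (player 0) picks a transition at a state, the environment
    (player 1) picks the direction at a transition node; no transition = odd sink, system loses."""
    owner, color, succ = {"sink": 0}, {"sink": 1}, {"sink": ["sink"]}
    for q, col in colors.items():
        owner[q], color[q] = 0, col
        succ[q] = [(q, y) for y in OUTPUTS if (q, y) in delta] or ["sink"]
    for (q, y), f in delta.items():
        owner[(q, y)], color[(q, y)], succ[(q, y)] = 1, colors[q], list(set(f.values()))
    return owner, color, succ

def attractor(nodes, player, target, owner, succ):
    attr = set(target)
    while True:   # player needs one successor in attr, the opponent all of them
        new = {v for v in nodes - attr
               if (any if owner[v] == player else all)(w in attr for w in succ[v] if w in nodes)}
        if not new:
            return attr
        attr |= new

def zielonka(nodes, owner, color, succ):
    """Winning regions (W0: system/even, W1: environment/odd); max colour seen infinitely often decides."""
    if not nodes:
        return set(), set()
    p = max(color[v] for v in nodes)
    i, j = p % 2, 1 - p % 2
    A = attractor(nodes, i, {v for v in nodes if color[v] == p}, owner, succ)
    W = zielonka(nodes - A, owner, color, succ)
    if not W[j]:                       # player i wins the whole subgame
        return (nodes, set()) if i == 0 else (set(), nodes)
    B = attractor(nodes, j, W[j], owner, succ)
    W = zielonka(nodes - B, owner, color, succ)
    return (W[0], W[1] | B) if i == 0 else (W[0] | B, W[1])

def prune_empty(colors, delta):
    """Step 1: drop states with empty language and every transition that reaches one."""
    owner, color, succ = parity_game(colors, delta)
    win_sys, _ = zielonka(set(owner), owner, color, succ)
    keep = {q: c for q, c in colors.items() if q in win_sys}
    return keep, {(q, y): f for (q, y), f in delta.items()
                  if q in keep and all(t in keep for t in f.values())}

def rejecting_cycle(colors, delta):
    """Step 2: an odd-coloured state on a cycle through states of colour <= its own, or None."""
    edges = {q: set() for q in colors}
    for (q, _), f in delta.items():
        edges[q] |= set(f.values())
    for s, c in colors.items():
        seen, stack = set(), [s]
        while c % 2 and stack:
            for w in edges[stack.pop()] - seen:
                if colors[w] <= c:
                    if w == s:
                        return s           # rejected tree with a full run tree: not safe
                    seen.add(w)
                    stack.append(w)
    return None

def is_reactive_safe(colors, delta):
    """Theorem 15: I/O-safe iff the pruned automaton has no rejecting cycle; also returns it."""
    colors2, delta2 = prune_empty(colors, delta)
    return rejecting_cycle(colors2, delta2) is None, colors2, delta2

def monitor(init, delta, word):
    """Run as a safety word automaton over (output, input) letters: index of the first
    letter without a transition (a bad prefix), or None."""
    q = init
    for k, (y, x) in enumerate(word):
        if (q, y) not in delta:
            return k
        q = delta[(q, y)][x]
    return None
```

On the constructed prefix $(\emptyset, \{c\})\,(\emptyset, \{e\})$ (coffee requested, the machine stays silent, then the emergency button is pressed), the unpruned automaton still has a transition, while the tight monitor obtained from the pruned automaton reports a bad prefix at the letter in which the machine stayed silent: from that node the environment can force a violation of $\psi_1 \wedge \psi_2$ whatever the machine does later. A monitor built from $\psi_1 \wedge \psi_2$ as a plain linear-time property could not reject this prefix, since the word can still be extended to one satisfying the formula; this is exactly the gap between linear-time safety and reactive safety that the construction closes. For $\mathsf{G}\mathsf{F} b$ the pruning removes nothing and `rejecting_cycle` returns the waiting state with its odd self-loop, so that property is correctly classified as not reactive-safe.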

6 Conclusion 

In this paper, we have extended the classic notion of linear-time safety from closed systems, where all
actions are under the system's control, to open reactive systems, where the behavior is characterized by
the interplay of uncontrolled environment inputs and controlled system outputs. Reactive safety is a 
larger class of properties than standard linear-time safety; at the same time, the algorithmic advantages 
are retained, because it is still possible to translate any (regular) reactive safety property into a safety 
word automaton, which can be used, for example, as a runtime monitor. In fact, reactive safety is the 
maximal set of properties whose satisfaction can be checked by testing all computation paths against a 
linear-time safety property. It is conceivable, however, to further extend the class of safety properties 
if other systems aspects, beyond the inputs and outputs, are taken into consideration. A promising 
candidate is incomplete information: specifications are sometimes concerned with atomic propositions 
that can neither be read nor written to by the system. Such an extension would classify an even larger 
set of properties as safety. Extending the algorithms of this paper to this case is straightforward using
standard automata-theoretic techniques for synthesis under incomplete information [11].